-/* $OpenBSD: x509_verify.c,v 1.64 2023/04/16 07:59:57 tb Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.65 2023/04/28 16:50:16 beck Exp $ */
/*
* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
*
if (!x509_vfy_check_revocation(ctx->xsc))
goto err;
- if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
- !x509_vfy_check_policy(ctx->xsc))
+ if (!x509_vfy_check_policy(ctx->xsc))
goto err;
ret = 1;
-/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.118 2023/04/28 16:50:16 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
goto end;
/* If we get this far evaluate policies */
- if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
+ if (!bad_chain)
ok = ctx->check_policy(ctx);
end:
-/* $OpenBSD: x509_vfy.h,v 1.62 2023/04/25 18:32:42 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#define X509_V_FLAG_X509_STRICT 0x20
/* Enable proxy certificate validation */
#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-/* Enable policy checking */
+/* Does nothing as its functionality has been enabled by default */
#define X509_V_FLAG_POLICY_CHECK 0x80
/* Policy variable require-explicit-policy */
#define X509_V_FLAG_EXPLICIT_POLICY 0x100
#define X509_VP_FLAG_LOCKED 0x8
#define X509_VP_FLAG_ONCE 0x10
-/* Internal use: mask of policy related options */
+/*
+ * Obsolete internal use: mask of policy related options.
+ * This should really go away.
+ */
#define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
| X509_V_FLAG_EXPLICIT_POLICY \
| X509_V_FLAG_INHIBIT_ANY \
-/* $OpenBSD: x509_vpm.c,v 1.36 2023/04/16 19:16:32 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.37 2023/04/28 16:50:16 beck Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags)
{
param->flags |= flags;
- if (flags & X509_V_FLAG_POLICY_MASK)
- param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags);
return 0;
}
}
- param->flags |= X509_V_FLAG_POLICY_CHECK;
return 1;
}
LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies);
-/* $OpenBSD: policy.c,v 1.9 2023/04/28 14:45:51 tb Exp $ */
+/* $OpenBSD: policy.c,v 1.10 2023/04/28 16:50:16 beck Exp $ */
/*
* Copyright (c) 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020-2023 Bob Beck <beck@openbsd.org>
.want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
.want_legacy_error_depth = 0,
},
+ {
+ .id = "invalid leaf without explicit policy",
+ .root_file = CERTSDIR "/" "policy_root.pem",
+ .intermediate_file = CERTSDIR "/" "policy_intermediate.pem",
+ .leaf_file = CERTSDIR "/" "policy_leaf_invalid.pem",
+ .want_chains = 0,
+ .want_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+ .want_error_depth = 0,
+ .want_legacy_error = X509_V_ERR_INVALID_POLICY_EXTENSION,
+ .want_legacy_error_depth = 0,
+ },
/* There is a duplicate policy in the leaf policy extension. */
{
.id = "1 in duplicate policy extension in leaf",
projects / openbsd / commitdiff